USING Remote Access
Access to BCF systems is available via different methods. Please select the best method depending on your requirement.
Web-based access
BCF is operating a JupyterHub instance which allows easy access to the BCF system via a web browser. Details can be found here. You need a valid BCF account, a device for two factor authentication (TOTP) and enabled compute cluster access for your account.
SSH based access
SSH (“secure shell”) is a standard protocol for remote access. In addition to shell access it is also able to provide tunneling and proxy support.
Requirements for ssh access
You need to meet the following requirements for ssh access:
- a valid and active BCF account
- a registered SSH public key
- a running SSH agent on the client
Jump host
BCF access is available via the central jump host login.computational.bio.uni-giessen.de
As a jump host this system allows connections from the internet, but is not configured to execute applications. Its sole purpose is relaying connections to internal hosts. Access to files (home directories, volumes) is not possible on the jump host.
Execution host
The main target for connections via the jump host is the internal host for interactive work, cli.intra. This is a dedicated machine for executing simple applications, accessing the compute cluster, running remote backends etc. Since this host is shared among all users, resource limits have been configured per user. Each user is limited to 16 GB RAM. CPU resources are distributed among all users, with each user having a guaranteed share. This prevents single users from occupying all resources and ensures that each user has enough resources available.
Network architecture for accessing resources in the bcf system
The diagram explains how to access systems in the intranet from outside the intranet and how to access systems outside the intranet from inside the intranet. The following sections describe how to configure your system for each of the usage scenarios.
SSH agent
The SSH agent is a small application running on the user's local system. It caches the private SSH keys if necessary and allows remote hosts to use these keys for authentication via agent forwarding. For the jump host the agent is mandatory: since there are no home directories on the jump host, authentication on the next hosts would not be possible otherwise. All SSH implementations (Linux, macOS, Windows) support an SSH agent. Please consult the documentation of your SSH login tool of choice.
Example configurations
These configurations can be used in the local ssh configuration file (e.g. ~/.ssh/config on Linux systems) to define parameters for ssh connections.
Direct access to cli.intra
The following example defines a connection to the interactive host via the jump host:
Host login login.computational.bio.uni-giessen.de
    HostName login.computational.bio.uni-giessen.de
    User <your-username>
    ForwardAgent yes

Host cli cli.intra
    HostName cli.intra
    User <your-username>
    ForwardAgent yes
    ProxyJump login
The Host line defines the name for the host. This name is used later in the ssh invocation. If you do not want to use the original hostname for convenience, you can also use an arbitrary name.
HostName is the name of the target host. If a jump host is used, the given name has to be resolvable on the jump host, not on your local system. E.g. the intra domain in the example is only valid within the BCF systems.
ProxyJump defines the jump host to use. SSH will create a connection to this host, and then connect to the host given by HostName (if present) or the Host argument.
ForwardAgent finally ensures that the local SSH agent can be used on the jump host.
User defines as which user you want to connect and it must match your bcf username.
Before you start the SSH connection you might want to ensure that your local SSH agent already knows your SSH key. Otherwise you will have to enter the passphrase for your key for any hop. Keys can be added with ssh-add. Running it without arguments will ask for the passphrase of your default SSH key and add it to the agent.
You can then start the connection with
ssh cli
On the first connection attempt SSH will ask you to verify the SSH host keys for the jump host and the interactive host:
$ ssh login.computational.bio.uni-giessen.de
The authenticity of host 'login.computational.bio.uni-giessen.de (134.176.31.211)' can't be established.
ED25519 key fingerprint is SHA256:KblsCBQDN9ElYznvsKyc12N9I+Trn9e2ChNTQFvDSj4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
and
The authenticity of host 'cli.intra (192.168.2.97)' can't be established.
ED25519 key fingerprint is SHA256:RqtCXKMtNeZ9lZSZ8fNzUFKsHLNQmU6yTR4o72iTn98.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Depending on the configuration of your SSH client it may automatically accept host keys. The exact format of the fingerprint depends on the key algorithm used. In the example above the ED25519 algorithm is used, other variants are ECDSA or RSA. Newer SSH clients will try to use ED25519.
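An added example (not part of the BCF documentation) for the host key check described above: it recomputes the SHA256 fingerprint from a key line in ssh-keyscan output format ("host keytype base64") and compares it with the fingerprints shown in the prompts on this page. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprints as shown in the two prompts quoted on this page.
PINNED = {
    "login.computational.bio.uni-giessen.de":
        "SHA256:KblsCBQDN9ElYznvsKyc12N9I+Trn9e2ChNTQFvDSj4",
    "cli.intra": "SHA256:RqtCXKMtNeZ9lZSZ8fNzUFKsHLNQmU6yTR4o72iTn98",
}


def fingerprint(line):
    """Parse one 'host keytype base64' line; return (host, keytype, SHA256 fp)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-blob")
    names, keytype, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the algorithm name;
    # a line whose declared type disagrees with its blob is rejected.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != keytype.encode():
        raise ValueError("key type does not match key blob")
    # OpenSSH prints the unpadded base64 of SHA-256 over the raw key blob.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return names.split(",")[0], keytype, "SHA256:" + digest


def check(line, pinned=PINNED):
    """Return 'match', 'MISMATCH' or 'unpinned' for one scanned key line."""
    host, _, fp = fingerprint(line)
    expected = pinned.get(host)
    if expected is None:
        return "unpinned"
    return "match" if hmac.compare_digest(fp, expected) else "MISMATCH"


def constructed_line(host, seed):
    """Build a well-formed ed25519 line from a made-up key (not a real host key)."""
    key = hashlib.sha256(seed).digest()  # 32 arbitrary bytes standing in for a key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    sample = constructed_line("cli.intra", b"constructed sample")
    print(fingerprint(sample)[2], check(sample))  # a made-up key never matches
```

A MISMATCH result for a pinned host is the case in which the prompt should be answered with "no".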
Access cli.intra via PuTTY on Windows
Load your ssh key in pageant, the ssh-agent for putty. Once loaded you can connect to cli.intra with the following configuration in putty:
Connection -> Proxy
    -> Proxy Hostname: login.computational.bio.uni-giessen.de
    -> Port: 22
    -> Proxy type: SSH to proxy and use port forwarding
    -> Username: <username>
Connection -> Data
    -> Auto-login username: <username>
Session
    -> Hostname: cli.intra
    -> Port: 22
# If you want to use agent-forwarding:
Connection -> SSH -> Auth
    -> Allow agent forwarding: activate
Transferring data
The jump host does not provide access to any storage (home directories, volume). It can not be used to transfer data to or from the BCF systems. These transfers can be I/O intensive and interfere with interactive user sessions.
Data transfer is only possible using another dedicated host, transfer.computational.bio.uni-giessen.de. Users are able to connect to this host via sftp or rsync only.
Transfer files with scp
Add the following configuration to your ssh-config file.
Host transfer-bcf
    HostName transfer.computational.bio.uni-giessen.de
    User <your-username>
Now you should be able to transfer files from and to the bcf-system (your ssh key must be available in the ssh-agent).
# Upload a file
> scp test transfer-bcf:/vol/sge-tmp/
test    100%    0    0.0KB/s    00:00
# Download a file
> scp transfer-bcf:/vol/sge-tmp/test test2
## No output
This should work with any openssh client release starting with version 9.0. Older releases might not work at all or might require using the undocumented option -s. We recommend upgrading the client or using the other methods described below.
Transfer files with rsync
Use the same configuration as in the scp example above. You should be able to transfer files with rsync.
# Upload a file
> rsync -v test transfer-bcf:/vol/sge-tmp/
test
sent 81 bytes  received 42 bytes  246.00 bytes/sec
total size is 0  speedup is 0.00
# Download a file
> rsync -v transfer-bcf:/vol/sge-tmp/test .
test
sent 38 bytes  received 89 bytes  84.67 bytes/sec
total size is 0  speedup is 0.00
Transfer files with sftp
Use the same configuration as in the scp example above. You should be able to transfer files with sftp.
> sftp transfer-bcf:/vol/sge-tmp
Connected to transfer-bcf.
Changing to: /vol/sge-tmp
sftp> put test
Uploading test to /vol/sge-tmp/test
test    100%    0    0.0KB/s    00:00
sftp> get test
Fetching /vol/sge-tmp/test to test
sftp> exit
Transfer files with other tools
Transferring data is not restricted to the command line tools presented above. You can use any tool that supports the sftp protocol or the rsync protocol. For details on how to set up these tools, refer to their documentation.
Using git over ssh
SSH connections to the internet are also possible via the central jump host. In order to tell git to use the jump host, you may edit your ssh config file or you may set the core.sshCommand variable.
Setting the core.sshCommand variable
It might be the easier and more flexible way to add the jump host to your git config, as you can override this setting per repository, if you like.
git config --global core.sshCommand 'ssh -J login.computational.bio.uni-giessen.de'
Editing the ssh config file
By default the ssh config file is located at ~/.ssh/config. You may add a record for each repository hub you would like to reach, e.g. github.com, gitlab.com, bitbucket.com and so on. You may also use wildcards in the Host string.
A basic configuration could look like:
Host github.com gitlab.com bitbucket.com
    ProxyJump login.computational.bio.uni-giessen.de
Beware that the ssh configuration file is used by openssh for all ssh connections and not only when using git!